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How Sercomm saved my Easter! 



Another backdoor in my router: 
when Christmas is NOT enough! 

^^^H Released 18/04/2014 

I By Eloi Vanderbeken - Synacktiv 



I don't know about you, but I love Easter! 

■ And with Sercomm, it's Easter every day! 
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Remember the TCP/32764 router ■■ 

backdoor? A . j 



■ Gives root shell, no authentication 

■ Dump entire configuration 

■ 4 affected manufacturers (Cisco, Linksys, 
NetGear, Diamond) 

■ 24 router models confirmed vulnerable 

■ 6000 vulnerable routers on the Internet 



■ Introduced by Sercomm 




■ (more info: https://github.com/elvanderb/TCP-32764 ) 
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was patched! 



■ 



zmaile commented 1 1 days ago 

I brought this issue up with netgear support (2014/01/17), and just in the last few days they have 
released a new firmware version that resolves the port 32764 issue. The new firmware is available on 
their website (http://downloadcenter.netgear.com/other/) 

I've confirmed that the below version works correctly. 

http://www.downloads.netgear.com/flles/GDC/DGN1 000/DGN1 000-V1 .1 .00.49WW.zip 

If the original backdoor was a planned 'feature', then its possible that there is a knocking sequence 
required to unlock port 32764 (that is, port 32764 opens after trying port 5000, then 8000 before 32764 
as an example). 
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No, it can't be a *feature*! 
It was a simple mistake... wasn't it? 






zmaile commented 1 1 days ago 



S x 



I brought this issue up with netgear support (2014/01/1 7), and just in the last few days they have 
released a new firmware version that resolves the port 32764 issue. The new firmware is available on 
their website (http://downloadcenter.netgear.com/other/) 

I've confirmed that the below version works correctly. 

http://www.downloads.netgear.com/files/GDC/DGN1 000/DGN1 000-V1 .1 .00.49WW.zip 



If the original backdoor was a planned Teature^hen its possible that there is a knocking sequence 



required to unlock port 32764 (that is, port 32764 opens after trying port 5000, then 8000 before 32764 
as an example). 
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Let's have a look! 



■ 'binwalk -e' to extract the file system 

■ scfgmgr (the backdoor binary) is still 
present... 

■ But it's now started with a new -I option 



: - /DGN10QQ 1.1. Q9.55 NA . ima . extractedS find . -nana scfgmgr 
. /squashf s- rqg gusr/s bin/scf gmgr^ 

>TUbNllMl!i_l ■ 1 ■ UU.S5jlA.img . extractedS grep -r scfgmgr . 
. /squashf s- root/usr/etc/ rcS .MTCODE : /usr/sbin/scf gmgr 
. / squashf s- root/ usr/ etc/ rc£ . TPjJfi ; fw^rUM n%f gmir 

Vsquashfs-root/usr/etc/rcS^usr^in/scfgmgr^l-^ 

7squashfs-root/usr/etc/lib_md5TblbdyyBa{14JbB831cd62d87adllbec3c ./usr/sbin/scf gmgr 
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What's this -I option? 






scfgmgr now listens on a Unix domain 
socket :'( 



t 


U Mi 


B 





loc_4 027JlG: 


tt type 


li 


$al, 


SOCKSTKEM! 


j air 


$ts 


socket 


move 


$a2. 


$Eero # protocol 


111 


$gp. 


OxB 8 +saved_gp ( $sp > 


bltz 


$v0, 


loc_402738 


move 







7 



l_iJ MS 


a 




Id 


$ts, 


memset 


addiu. 


$s0, 


$sp OxB S +SDckaddress uji 


move 


$a0, 


$s0 # s 


move 


$al, 


$zero # c 


jalr 


$t9 


nemset 


li 


$a2, 


0x6E # n 


lw 


$gp 


OxB 8 +saved_gp ( $sp ) 


addiu. 


$sl, 


$sp OjeB 8+sockaddi'ess uji_ siLn._pa.th. 


la 


$al, 


0x400000 


la 


$t9, 


strncpy 


.addiu 


Sal, 


aTmpScf gmgr soc - 0x400000 ) # " /tmp /scfgmgr socket- " 


11 


$a2, 


0x6B # n 


move 


$a0, 


$sl # dest 


□ air 


$t9 


strncpy 


sh 


$s3, 


OxBO+sockaddress un< $sp > 


lw 


$gp 


0xB8+saved_gp <$sp) 


move 


$a0, 


$sl # name 


la 


$t9, 


unlink 


nop 






□ air 


$t9 


unlink 


move 


$sl, 


$s0 


lw 


$gp, 


0xB8+saved_gp <$sp) 


move 


$a0, 


$s2 # fd 


la 


$t9, 


bind 


move 


$al, 


$s0 # addr 


□ air 


$t9 


bind 


11 


$a2, 


0x6E # len 


lw 


$gp 


0xB8+saved gp < $sp ) 
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Wait... what? 



■ 



There is an alternate option: -f that makes 



M mS S 



li $a0, M_INET # domain 

li $al, SOCKSTREAM # type 

jalr $t9 ; socket 

move $a2, Siero # protocol 

lw $gp , 0jtB8+saved_gp < $sp > 

bgez $v0, loc_402760 

move $s2, $v0 



loc_402 
li 

STO 
la 

sh 
li 
sh 
sro 

STO 

sn 

move 

addiu 

jalr 

li 

In 

b 

addiu 




160: 
$v0, 2 

$zero ,. 0xB8+sockaddress_in- sin_f amily ( $sp > 
$t9, bind 

(vO, 0xB8+sockaddress_in. sin_f amily ( $sp > 
$v0, 32164 

{vO, 0xB8+sockaddress_±n. sin_port ( $sp ) 
Siero, 0xB8+sockaddress_in. sin_addr < $sp ) 
$zero ,. 0xB8+sockaddress_in. sin_zero < $sp > 
(zero ,. 0xB8+sockaddress_in. sin_zero+4 ( $sp > 
$a0, $s2 # fd 

$al $sp , 0xB8+sockaddress_±n tt addr 
$t9 ; bind 

$a2, 0x10 tt len 

$gp , 0xB8+sainGd_gp < $sp ) 
loc_402828 

$sl, $sp , 0xB8+sockaddress_±n 
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Let's see if it's used 



■ 



DGN1000 1 . 1 . 00 . 55_NA. img . extractedS grep -r "scfgmgr -f" . 
. /squashf s- root/usr/sbin/f t_tool 




KSYNACKTIV 

H I DIGITAL SECURITY 



9/18 



What's this 'ft tool'? 






Opens a raw socket 



a 


$t9, 


socket 




i 


$a0, 


MI NET 


ft domain 


i 


$al, 


SOCKPACKET 


tt type 


air 


$t9 


; socket 




i 


$a2, 


DxSSSS 


ft protocol 



Waits for packets 

- with ethertype = 0x8888 

- coming from the Ethernet card or broadcasted 
(check of the destination MAC address) 

Packet format 



00000000 packet_struct 


struc 


# (sizeof=0x228) 


00000000 header: 


ether 


header ? 


0000000E type: 


half 




00000010 sequence: 


.half 




00000012 offset: 


.half 




00000014 chunk: 


.half 




I payload_len: 


half 




00000018 payload: 


.byte 


528 dup(?) 


00000228 packet struct 


ends 
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If payload == md5("DGN1000")... ■ 




la 


M, 


0x400000 


la 


$t9, 


strlen 


addiu 


$vO f 


$vl, (algnlOOO - 0x400000) tt "DGN1000 


lTO 


SaO, 


<aDgnl000+4 - 0x4028FC) <$v0) 


In 


$v0, 


(aDgnlDOO - 0x400000 )< Svl) ft "DGN1000 


addiu 


Ss2, 


$sp t 0x398+cp;y_DGN1000 


SW 


$a0, 


0x3 9 S +cpjr_DGN10 0 0 +4 ( $sp ) 


sn 


$v0, 


0x3 9 S +crpj r _DGN10 0 0 < $sp ) 


jalr 


St 9 


; strlen 


move 


$a0, 


$s2 tt s 


In 


$gp 


0x3 9 S +saved gp ( $sp > 


addiu 


SsO, 


$sp r 0x398+md5_ctx 


la 


$t9, 


MDSInit 


move 


$a0. 


$s0 


jalr 


St 9 


; HDSXnit 


move 


$sl, 


$v0 


lw 


$gp 


0x3 9 S +saved_gp < $sp ) 


move 


Sa2, 


$sl 


la 


$t9, 


MD 5 update 


move 


$a0. 


$s0 


jalr 


St 9 


; MD 5 update 


move 


$al, 


$s2 


lw 


$gp 


0x3 9 S +saved_gp < Ssp ) 


addiu 


$sl, 


$sp , 0x398+var_88 


la 


$t9, 


HDSEinal 


move 


Sal, 


$s0 


jalr 


$t9 


; MDSEinal 


move 


$a0, 


$sl 


lw 


$gp 


0x398 +saved_gp < $sp > 


addiu 


$a0, 


$sp , 0x398+packet payload tt si 


la 


$t9. 


memomp 


move 




Ssl tt s2 


jalr 


$t9 


meim.jiqj 


li 


$a2. 


0x10 tt n 


lw 


$gp 


0x398 +saved_gp < $sp > 


bnez 


$v0, 


main, loop 


addiu 


Sal, 


Ssp. 0x398+fd set 
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And if packet type == 0x201 ... 



lhu 




0x398+packet . type < $sp > 


111 


$gp. 


0x398+saved_gp ( $sp ) 


audi 


$vO, 


$vl, OxEE 


sll 


$vO, 


8 


srl 


$vl. 


S 


Or 


5vi, 


5vO, $vl 


li 


$vO, 


0x201 


beq 


$vl. 


$v0, loc 401240 


li 


$sl. 


0x228 



■ h3 m 1 


loc_4 01240: 








la 


$a0. 


0x400000 






la 


$t9. 


system 






nop 










j air 




- t system 






addiu 


$a0. 


aEchoOpen ftBev - 0x400000) 




"echo OPEN FT > /dev/console " 


ill 


$gp 


0x398 +saved_gp ( $sp ) 






nop 










la 


$a0. 


0x400000 






la 


$ts. 


system 






nop 










3 air 




- t system 






addiu 


$a0. 


aKillallScfgmgr - 0x400000) 


tt 


"killall scfgmgr" 


111 


$gp 


0x398 +saved_gp < $sp ) 






nop 










la 


$t9. 


sleep 






nop 










J air 


$t9 


; sleep 






li 


$a0. 


1 # seconds 






In 


$gp. 


0x398+saved gp<$sp) 






nop 










la 


$a0. 


0x400000 






la 


$tJ, 


system 






nop 










jalr 


$ts 


; system 






addiu 


$a0, 

(7 


allsrSbinScfgmgr - 0x400000) 

» ** i 




" /usr /sbin/scfgmgr -f £" 




system("scfgmgr -f &")!!! 
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So you can reactivate the ■ 
backdoor again... 

■ If you're on the LAN 

■ Or if you're an Internet provider (if you're one-hop 
away, you can craft Ethernet headers) 



■ It's DELIBERATE 



■ You can also use the 0x200 packet type to ping 
the router (it will respond with its MAC address) 
and 0x202 to change its LAN IP address 




I don't always patch backdoors... ■ 
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Because a root shell is not enough ■ 



You can now (among other things) make 
the router LEDs flash with the 33, 34 and 
35th message :) 






jalr 


St 9 


addiu 


SaO, 


lw 


Sgp, 


nop 




la 


SaO, 


la 


St9, 


nop 




□ air 


St 9 


addiu 


SaO, 


lw 


Sgp. 


nop 




la 


SaO, 


la 


St9, 


nop 




□ air 


St 9 


addiu 


SaO, 


lw 


Sgp. 


nop 




la 


SaO, 


la 


$t9, 


nop 




□ air 


$t9 


addiu 


SaO, 


lw 


Sgp, 



r set_led_on 
<aPo«er_green - 0x400000) 
0xl0698+var_10678 ( $sp ) 

0x400000 
set led on 

r set_led_on 
<aPower_red - 0x400000) 
0xl0698+var_10678 ( $sp ) 

0x400000 
set led on 



: set_led_on 

alnternet green - 0x400000) 
0xl0698+var_10678 ( $sp ) 



tt jurjitable 00401284 case 34 

0x400000 
set_led_o f f 
1 

(consolemode - 0x10000030 )( $s6 ) 
set_led_o f f 
(aPoiiver_green - 0x400000) # "poi»er_gr een " 
0x10 6 9 8 + var_10 6 7 8 ( S=P > 



set_led_o £ f 
(aPoner_red - 0x400000) # "po™r_red" 
0xl0698+var_10678($sp) 




set_led_o f f 

al nterne t_gr een - 0x400000) # "internet_ 
0x10 6 9 8 + irar_10 6 7 8 < $sp ) 



addiu 


SaO, 


(aPower red - 0x400000) # "power red" 


li 


$a2, 


OxEEEEEEEE 




li 


$a3. 


5 




jalr 


$t9 


set led blink 




sw 


$s0, 


0x106 98+var_10688 ( $sp ) 


lw 


Sgp, 


0x10 698 +var_10 678 


<S=P> 


li 


$al. 


1 




la 


$a0, 


0x400000 




la 


St9, 


set led blink 




addiu 


$a0, 


(alnternet green 


- 0x400000) tt " internet_gr een 1 


li 


$a2. 


OxEEEFFFFF 




li 


$a3, 


5 




jalr 


St 9 


set led blink 




sw 


$s0, 


0x106 98+var_10688 ( $sp ) 


lw 


Sgp, 


0x10 698 +var_10 678 


<$sp) 


li 


Sal, 


1 




la 


SaO, 


0x400000 




la 


St9, 


set led blink 




addiu 


SaO, 


(alnternet red - 


0x400000) # " inter Hatred" 


li 


$a2. 


OxEEEFFFFF 




li 


Sa3, 


5 




jalr 


St 9 


set led blink 




sw 


$s0, 


0x10 698 +var_10 688 


($sp) 


lw 


$gp. 


0x10698 + var_10 678 


<$sp) 


li 


Sal, 


1 




la 


SaO, 


0x400000 




la 


St9, 


set led blink 




addiu 


$a0, 


(aDsl - 0x400000) 


tt "dsl" 


li 


Sa2, 


OxEEEFFFFF 




li 


$a3, 


5 




jalr 


St 9 


set led blink 




s» 


$s0, 


0x10 698 +var_10 688 


(S=P> 


lw 


Sgp, 


0x10 698 +var_10 678 


<Ssp> 


li 


Sal, 


1 




la 


SaO, 


0x400000 




la 


St9, 


set led blink 




addiu 


$a0. 


(aUsb - 0x400000) 


tt "usb" 
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But where does it come from? ■ 



■ The 0x8888 ethertype and packet structure 
is used in an old Sercomm update tool: 

http://wiki.openwrt.org/_media/toh/netgear/dg834.g.v4/nftp.c 

- lazy guys, they didn't even code their new 
backdoor from scratch ;) 

■ It may be present in other hardware but 
hard to tell: 

- No easy way to scan 

- MD5 signature will certainly be different as it's 
based on the router commercial name 
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How to detect it? 



■ 



■ For DGN1000, simply use the PoC from 
your LAN 

■ For other routers, the simplest way is to: 

- Use 'binwalk -e' to extract the file system 

- Search for 'ft tool' or grep -r 'scfgmgr -f 

- Use I DA to confirm 
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We hope you enjoyed this 
presentation :) 

■ PoC is available here: 

http://synacktiv.com/ressources/ethercomm.c 




